Sticking to their well proven practice of systematically rotating impersonated brands, the cybercriminals behind a huge majority of the malicious campaigns that we’ve been profiling recently are once again impersonating Intuit in an attempt to trick its customers into clicking on links exposing them to the client-side exploits served by the Black Hole Exploit Kit.

The following malicious domains also respond to the same IPs:limonadiksec.rugeforceexlusive.rusonatanamore.rulinkrdin.rulemonadiom.rupeneloipin.ruforumibiza.rudonkihotik.rufinitolaco.rucontrolleramo.rufionadix.ru

Although we couldn’t reproduce the client-side exploitation, we’ve already seen the majority of these malicious domains in previously profiled campaigns: